Computer Crime Research Center

Phishing: Is Instant Messaging Secure?

A recent report from Websense, a security firm, and the Anti-Phishing Working Group shows how phishing trends have been changing and, in turn, becoming more and more devious.

According to the report, March saw a continuation of a trend of using cousin domain names to host phishing sites. Consequently, the use of alternate ports has decreased and the standard HTTP port 80 is in use at 96% of all phishing sites reported.

In addition, phishers are using branded institutions to draw victims to the phishing site. According to the report, 81% of these brands were financial institutions, which remained at the top of phishers' list. The report showed that the largest share of phishing websites, about 34%, was hosted in the United States. China is second at 12% and Korea is at 9%.

Over the last two months, Websense has seen a dramatic increase in the volume of phishing-based malicious code attacks, in particular code that targets the Portuguese language. This code is designed to run on a machine and log keystrokes when a connection is made to predetermined websites. The keylogger sends that information to a remote location for the purpose of identity theft.

From November 2004 through December 2004, Websense researched and identified an average of 1-2 new phishing keylogger variants and 10-15 new malicious websites hosting this code per week. In comparison, from February 2005 through March 2005, research has identified 8-10 new keyloggers and more than 100 malicious websites hosting keylogger variants per week.

A variety of attack vectors are delivering malicious code to end users' machines. To date, Websense Security Labs has seen attacks from sources such as websites that host adult entertainment and shopping content, which exploit Internet Explorer vulnerabilities to run code remotely without user interaction, and Instant Messaging (IM) messages and IM worms, which blast a message to users enticing them to visit a remote website and run code hosted on that site.